Hacking the New York Times

There’s news out of the New York Times this morning–about the New York Times. A long article details how hackers, whom the paper’s bosses believe are in China, stole the passwords of Times employees, accessed the e-mail accounts of some reporters, and rooted around the Times networks for four months. The intruders appeared to be looking for the names of people who might have given information to a Times reporter working on a major expose of a top Chinese government official.

From the paper:

“The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

“Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times‘s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times‘s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.”

As a journalist–that is, someone who goes to considerable lengths to protect the information I collect and the identities of people I talk to–this is a chilling revelation. Deeply unsettling. And sadly, not at all surprising.

Foreign intelligence services have been targeting US corporations, members of Congress and their staff, think tanks and law firms, and defense contractors for years. In every instance, the spies are after secret, proprietary information, with an eye towards getting strategic advantage over US companies and the government. News reporters, particularly those in regular contact with foreign and US sources in governments and the private sector, would be prime targets for any credible intelligence service. I reported in 2011 that spies may have tried to impersonate a well-known Washington journalist, Bruce Stokes, in order to spy on the State Department. We journalists are low-hanging fruit.

“Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times‘s newsroom.”

Yikes.

Presumably, any reporter working in China is exercising some strong operational security. Hopefully, he’s not keeping notes on a computer, not exchanging e-mails with sources, and limiting electronic communications. But it sounds like once the spies got into the network, via spear phishing, they had freedom to roam and gather information about many reporters.

“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, the Times‘s executive editor. That’s somewhat surprising, considering how long the intruders were inside the network.

Note, though, Abrams says no “sensitive” e-mails were accessed. That doesn’t mean other, non-sensitive emails weren’t read. And the Times article doesn’t say–nor could experts know–whether the spies were able to glean any insights about a reporter’s sources by examining the names of people sending e-mails, which one could see just by looking at the inbox, without having to open the e-mail or copy it.

It could be that the paper’s security consultant, Mandiant, was able to prevent any massive exfiltration of sensitive information. Or maybe the spies just managed to find what they were looking for and didn’t need to siphon off files. The Times article gives a pretty broad description of the cat and mouse game between the spies and the security experts.

“To get rid of the hackers, The Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.”

It seems that reporters weren’t alerted to the ongoing investigation, which makes sense if Mandiant didn’t want to tip anyone off to the investigation. (These are reporters, after all.) One Times scribe I know only found out about the past months events after reading the paper this morning.

Reporters’ passwords were reset, apparently to the frustration of some.

“I would like to apologize to the NYT computer support folks I snapped at after they reset my password without warning,” national reporter John Schwartz wrote in a tweet.

In reply, national security reporter Charlie Savage, tweeted, “Explains a lot of bustling yet somewhat inexplicably furtive activity by the IT support staff in recent months.”

“[Y]es, and a lot of yelling by writers on deadline!” wrote Schwartz.

It would seem, based on the Times account, that the intruders were only interested in reporting about the Wen family. Mandiant found “no evidence” that those stolen passwords were used to seek any other kind of information. That suggests that this intrusion was targeted and disciplined.

However, the Times called the intrusion “part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.”

“Last year, Bloomberg News was targeted by Chinese hackers, and some employees’ computers were infected, according to a person with knowledge of the company’s internal investigation, after Bloomberg published an article on June 29 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time. Mr. Xi became general secretary of the Communist Party in November and is expected to become president in March. Ty Trippet, a spokesman for Bloomberg, confirmed that hackers had made attempts but said that ‘no computer systems or computers were compromised.'”

No customer data was stolen from the Times, security experts said.

If the Times‘s reporting is accurate, we should presume that the attacks on it and Bloomberg are the tip of the proverbial iceberg. I’d imagine news rooms across town and across the country today are going to search their networks for any suspicious activity. For its part, the Times became suspicious after learning of warnings from Chinese government officials that the investigation of Wen would “have consequences.” On October 24, 2012, executives at the paper asked AT&T, which monitors the Times‘s networks, “to watch for unusual activity.”

At least one security expert is sounding a skeptical note on all this, saying the Times has no basis for pointing the finger at China. Jeffrey Carr wrote on his blog:

“This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that’s not really news); that China was to blame (that’s Mandiant’s go-to culprit), and that no customer data was lost (i.e., the Times isn’t liable for a lawsuit).

“I think that Mandiant does good incident response work . . . however their China-centric view of the hacker world isn’t always justified in my opinion.”

Carr goes on to dissect the article and explain why he thinks other countries would have a motive to spy on the Times.

In his confirmation hearing this morning, Defense Secretary nominee Chuck Hagel was asked about cyber threats against the United States, although the question tended towards threats to physical infrastructure rather than espionage.

“Cyber, I believe represents as big a threat to this country as any one specific threat,” Hagel said, promising that he’d put “high priority” on the issue if confirmed. “It’s an insidious, quiet kind of a threat threat we’ve never quite seen before. It can paralyze a nation a second.”

Hagel said that the current Congress has to pick up cyber legislation that failed to pass last year. “You must, and you know that.”